I was having trouble getting CRL checks working for client certificates,
and it turns out that the problem is that nginx checks CRLs for all
levels of the certificate hierarchy, but the CA I am using does not
publish CRLs for intermediate certificates.
It is not uncommon for the private key of the root CA certificate to be
locked away offline in a safe, to prevent any other intermediate
certificates from being issued. However, this means that CRLs cannot be
generated for the intermediate certificates, only the leaf certificates.
Hence only the leaf certificates can be CRL-checked.
The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK in
OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.
Would you accept a patch that adds a new configuration option to nginx
to control this?
I was thinking the option might look like:
ssl_crl_check leaf; # Only check if leaf certificates have been
ssl_crl_check all; # Check the whole chain for revoked certificates
The default behaviour would continue to be to check the whole chain.
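The two verification modes discussed above, as an added example that is not part of the original message and not nginx's code: the openssl command-line tool exposes exactly these flags, since `openssl verify -crl_check` sets X509_V_FLAG_CRL_CHECK and `-crl_check_all` sets X509_V_FLAG_CRL_CHECK together with X509_V_FLAG_CRL_CHECK_ALL. The script builds a throwaway PKI (all names, subjects and serials are constructed for the demonstration) whose offline root publishes no CRL and whose intermediate publishes one covering the leaves, then verifies an unrevoked and a revoked client certificate in both modes. It assumes an openssl binary (1.1.1 or 3.x) on PATH and a default openssl.cnf for `openssl req`.

```shell
#!/bin/sh
# Added example (not nginx's code or the poster's): reproduce the CRL-checking
# situation from the message with the openssl CLI.
#   openssl verify -crl_check     -> X509_V_FLAG_CRL_CHECK (leaf only)
#   openssl verify -crl_check_all -> X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL
# The PKI below (names, subjects, serials) is constructed for the demonstration.
set -eu

gen_key() {   # $1 = output file; P-256 keys keep the example fast
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Offline root -> intermediate -> two client leaves. Only the intermediate
# publishes a CRL (covering the leaves); nothing ever issues a CRL for the
# intermediate itself, just as in the deployment described in the message.
setup_pki() {
  WORK=$(mktemp -d)
  cd "$WORK"
  cat > ext.cnf <<'EOF'
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Minimal 'openssl ca' config: just what -revoke / -gencrl need.
  cat > ca.cnf <<EOF
[ ca ]
default_ca = intermediate
[ intermediate ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  touch index.txt
  echo 01 > crlnumber

  gen_key root.key
  openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ext.cnf -extensions ca_ext -out root.crt 2>/dev/null

  gen_key ica.key
  openssl req -new -key ica.key -subj "/CN=Example Intermediate CA" -out ica.csr
  openssl x509 -req -in ica.csr -CA root.crt -CAkey root.key -set_serial 1000 \
    -days 1825 -extfile ext.cnf -extensions ca_ext -out ica.crt 2>/dev/null

  serial=2000
  for name in alice bob; do
    serial=$((serial + 1))
    gen_key "$name.key"
    openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA ica.crt -CAkey ica.key -set_serial "$serial" \
      -days 365 -extfile ext.cnf -extensions leaf_ext -out "$name.crt" 2>/dev/null
  done

  # Revoke bob, then publish the intermediate's CRL. No CRL is ever made for
  # the intermediate itself (the root key is "offline").
  openssl ca -config ca.cnf -cert ica.crt -keyfile ica.key -md sha256 \
    -revoke bob.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -cert ica.crt -keyfile ica.key -md sha256 \
    -gencrl -crldays 30 -out ica.crl >/dev/null 2>&1
}

cleanup_pki() { cd / && rm -rf "$WORK"; }

# X509_V_FLAG_CRL_CHECK only: a CRL must cover the leaf; the CAs need none.
verify_leaf_only() {
  openssl verify -crl_check -CAfile root.crt -CRLfile ica.crl -untrusted ica.crt "$1"
}

# Both flags (what nginx currently does): every certificate in the chain needs
# a CRL, so the intermediate fails with "unable to get certificate CRL".
verify_whole_chain() {
  openssl verify -crl_check_all -CAfile root.crt -CRLfile ica.crl -untrusted ica.crt "$1"
}

setup_pki
echo "== leaf-only check (X509_V_FLAG_CRL_CHECK) =="
verify_leaf_only alice.crt            # succeeds: alice is not revoked
verify_leaf_only bob.crt || true      # fails: certificate revoked
echo "== whole-chain check (CRL_CHECK | CRL_CHECK_ALL) =="
verify_whole_chain alice.crt || true  # fails: no CRL exists for the intermediate
cleanup_pki
```

The leaf-only mode still rejects the revoked certificate, which is the property the proposed `ssl_crl_check leaf;` would preserve; the whole-chain mode rejects even the good certificate purely because the root never published a CRL for the intermediate.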
I'd be happy if the following patch were merged into upstream.
Here is more detail about this patch:
The above patch aims to fix an FTBFS on Debian GNU/kFreeBSD.
This FTBFS bug is already fixed on Debian, and the patch is maintained
 nginx: FTBFS on kfreebsd: incomplete type 'struct in6_pktinfo'
I think this patch should be forwarded to upstream and merged because third
which bundles nginx on kFreeBSD also shoots in the legs without this patch.
So, I created a bug report that it is better to send feedback to
 nginx: Forward FTBFS patch on kFreeBSD to nginx upstream
This issue is still open, so I've also sent this mail to this mailing
NOTE: I've confirmed that the above patch can be applied to the current master
Kentaro Hayashi <kenhys(a)gmail.com>